Motivation

Many (DoD) systems are Cyber-Physical

• Software tightly coupled with the physical world

• Increased scale, complexity, autonomy

- Pilot Ejection => IMA => Multi-UAS Missions

Current DoD T&E regimen is expensive & inadequate to assure CPS

• Testing-based (poor coverage)

• Sufficient assurance needed for Certification

Rigorous assurance of CPS must include at least timing, functionality, and coordination

• Task 1: Timing => Schedulability analysis: multicore and memory interference

• Task 2: Functional => Model Checking: scalability, physical laws

• Task 3: Coordination => Probabilistic Model Checking: compositionality, uncertainty
Guiding Scenario: Multi-UAS Mission

Functional: Tasks Free of Deadlocks and Race Conditions

Timing: Collision Avoidance Tasks Must Meet Deadlines

Coordination: Optimal Coverage Within Mission Limit

Timing, functional correctness, and high-quality coordination are critical to the success of modern CPSs. Each must be assured for high confidence in overall performance.
Task 1: Multicore Challenges for Real-Time Systems

Parallelization

• Computation time > Deadline

- Must be parallelized to meet the deadline

- Guarantee that it always finishes before the deadline

Shared Hardware Resources / Best-Effort Schedulers

• Shared memory system creates unpredictable delays

• Memory accesses scheduled for the average case hinder the worst case

Multiple elements to coordinate

• Shared cache

• Shared main memory

• Shared memory bus
Predictable Parallelization

Developed a staged execution model

Scheduled under Global Earliest-Deadline First

• Most efficient scheduling for staged execution

- If a task is schedulable under an optimal scheduler, our scheduler needs at most twice the speed to schedule the task


Software Engineering Institute
Carnegie Mellon University
Fall 2014 SEI Research Review
de Niz, Oct 28th, 2014
©2014 Carnegie Mellon University


Example: Parallel Image Processing

[Figure: an image-processing pipeline of edge detection, shape detection and shape matching running on a multicore processor]

• Divide the image to process pieces in parallel
Shared Hardware: Multicore Memory System

DRAM Organization

[Figure: DRAM rank, DRAM chip, and command bus]

DRAM access latency varies depending on which row is stored in the row buffer
Impact of Memory Interference

[Chart: normalized execution time (%) of the PARSEC benchmarks blackscholes, bodytrack, canneal, ferret, fluidanimate, freqmine, raytrace, streamcluster, swaptions, vips and x264 when co-running with 1, 2 and 3 memory-intensive "attacker" tasks; a 12x increase is observed]

• 1 attacker -> Max 5.5x increase

• 2 attackers -> Max 8.4x increase

• 3 attackers -> Max 12x increase

We should predict, bound and reduce the memory interference delay!

Timing Analysis with Bank Partitions (private/shared)

Explicitly considers the timing characteristics of major DRAM resources

• Rank/bank/bus timing constraints (JEDEC standard)

• Request re-ordering effect

Bounding memory interference delay for a task

Combines request-driven and job-driven approaches

• Request-driven: the task's own memory requests

• Job-driven: interfering memory requests during the job execution

Software DRAM bank partitioning awareness

• Analyzes the effect of dedicated and shared DRAM banks
Page Coloring with Virtual Memory

Timing Verification: Response Time (R_i) < Deadline (D_i)

Memory Interference with private banks

• Private DRAM Bank

Average over-estimates are 8% (13% for a shared bank)

H. Kim, D. de Niz, B. Andersson, M. Klein, O. Mutlu, and R. Rajkumar. "Bounding Memory Interference Delay in COTS-Based Multicore Systems." RTAS 2014. Best Paper.
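The response-time check and the combined interference bound from the preceding slides, as an added worked example (this is not code from the slides or from the RTAS 2014 paper): a fixed-priority response-time iteration in which each job's memory interference delay is the smaller of a request-driven bound (the task's own requests, each delayed at most L_max) and a job-driven bound (the requests that tasks on other cores can issue during the job). The task set, the per-request delay constants L_PRIVATE and L_SHARED, and the way the interference term enters the recurrence are assumptions made for illustration; the paper's analysis models the DRAM rank/bank/bus timing constraints in far more detail.

```python
# Added example, not code from the slides or the RTAS 2014 paper: a simplified
# fixed-priority response-time test R_i <= D_i on a multicore, with a per-job
# memory interference term built the way the slide describes it -- a
# request-driven bound (the task's own requests, each delayed at most L_max)
# and a job-driven bound (requests from other cores during the job), taking
# the smaller of the two. L_PRIVATE, L_SHARED and the task set are constructed
# assumptions, not measurements or constants from the paper.
import math
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    core: int   # core the task is pinned to
    C: float    # worst-case execution time in isolation (ms)
    T: float    # minimum inter-arrival time / period (ms)
    D: float    # relative deadline (ms)
    H: int      # worst-case number of DRAM requests per job
    prio: int   # larger value = higher priority (same-core preemption only)


L_PRIVATE = 0.002  # assumed worst-case delay per request, private DRAM bank (ms)
L_SHARED = 0.005   # assumed worst-case delay per request, shared DRAM bank (ms)


def request_driven_bound(task, l_max):
    """Each of the task's own H requests waits at most l_max: H * l_max."""
    return task.H * l_max


def job_driven_bound(task, taskset, window, l_max):
    """Every request that tasks on *other* cores can issue inside a window
    of length `window` delays this task by at most l_max."""
    requests = sum(math.ceil(window / o.T) * o.H
                   for o in taskset if o.core != task.core)
    return requests * l_max


def interference_delay(task, taskset, window, l_max):
    """Combined bound: the tighter of the request-driven and job-driven bounds."""
    return min(request_driven_bound(task, l_max),
               job_driven_bound(task, taskset, window, l_max))


def response_time(task, taskset, l_max, max_iter=10000):
    """Fixed-point iteration
        R = C_i + I_i(R) + sum_{j in hp(i), same core} ceil(R / T_j) * (C_j + I_j(R))
    where I(R) is the memory interference delay inside a window of length R.
    Returns (R, schedulable); iteration stops as soon as R exceeds D_i."""
    hp = [t for t in taskset if t.core == task.core and t.prio > task.prio]
    R = task.C
    for _ in range(max_iter):
        R_next = task.C + interference_delay(task, taskset, R, l_max)
        for j in hp:
            R_next += math.ceil(R / j.T) * (j.C + interference_delay(j, taskset, R, l_max))
        if R_next > task.D:
            return R_next, False          # deadline miss: R_i > D_i
        if abs(R_next - R) < 1e-9:
            return R_next, True           # converged with R_i <= D_i
        R = R_next
    return R, False                       # did not converge within max_iter


def analyze(taskset, l_max):
    """Response time and verdict for every task: {name: (R, R <= D)}."""
    return {t.name: response_time(t, taskset, l_max) for t in taskset}


# Constructed task set: two tasks on core 0, one memory-heavy task on core 1.
TASKSET = [
    Task("ctrl", core=0, C=1.0, T=5.0, D=5.0, H=100, prio=2),
    Task("plan", core=0, C=2.0, T=10.0, D=10.0, H=400, prio=1),
    Task("vision", core=1, C=3.0, T=20.0, D=20.0, H=1000, prio=1),
]

if __name__ == "__main__":
    for label, l_max in (("private bank", L_PRIVATE), ("shared bank", L_SHARED)):
        print(label)
        for name, (R, ok) in analyze(TASKSET, l_max).items():
            print(f"  {name:7s} R = {R:5.2f}  {'meets' if ok else 'MISSES'} deadline")
```

With the private-bank delay the task "plan" settles at R = 4.0 ms; with the shared-bank delay the same task needs 7.0 ms, which still meets D = 10 ms but would miss a deadline of 6 ms. The job-driven term is what keeps the memory-heavy "vision" task from being charged for all 1000 of its own requests when the other core cannot issue that many in the window.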
Cache Partitioning (Coloring)

Coordinated Cache and Bank Partitioning

Avoid conflicting color assignments

Take advantage of different conflict behaviors

• Banks can be shared within the same core but not across cores

• Cache cannot be shared within or across cores

Take advantage of sensitivity of execution time to cache

• The task with the highest sensitivity to cache is assigned more cache

• Diminishing returns taken into account

Two algorithms explored

• Mixed-Integer Linear Programming

• Knapsack
Experimental Results

N. Suzuki, H. Kim, D. de Niz, B. Andersson, L. Wrage, M. Klein, and R. Rajkumar. "Coordinated Bank and Cache Coloring for Temporal Protection of Memory Access." ICESS 2013.
Partitions & Scheduling in Parallelized Tasks

Mixed-Integer Linear Programming:

- cache + bank partitions per page

- Interference between parallel segments

- Interference between tasks

B. Andersson, D. de Niz, H. Kim, M. Klein, and R. Rajkumar. "Scheduling Constrained-Deadline Sporadic Parallel Tasks Considering Memory Contention." Submitted to: IPDPS 2015.
Round-trip parallelized task scheduling

Measure memory accesses per page in a task

• Modified Valgrind profiler to count accesses to a particular virtual page in a program running on the target platform

Assign cache + bank colors to each page and test schedulability

• Mixed-Integer Linear Programming formulation

• Outputs pages per color

Modified memory system (inside the OS) to assign colors per page

• Linux variant (Linux/RK)

• Assign memory reservations (colors) to tasks and color regions to pages

• Cache + Bank colors

Global Earliest-Deadline First (gEDF) implementation

• In Linux/RK

Stage Synchronization Framework

• For parallel staged tasks

Experiments on Intel i7 quad-core, 8GB RAM + 8MB shared cache
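Page coloring, the coordinated cache/bank sharing rules from the earlier slides, and the "assign colors per page" step of the round trip above, as one added example (this is not code from the slides or from Linux/RK): it derives the cache color and the DRAM bank color of a page frame from its physical address bits, decides whether a requested (cache color, bank color) pair can be realized by any page frame at all, and checks a page-to-task assignment against the two rules that bank colors may be shared only within a core and cache colors not at all. The bit positions PAGE_SHIFT, CACHE_COLOR_BITS and BANK_COLOR_BITS describe a hypothetical platform and are assumptions, as are the functions colors, feasible and check_assignment and the sample assignment; the overlap between the cache-color and bank-color bits is chosen deliberately to show where "conflicting color assignments" come from.

```python
# Added example, not code from the slides or from Linux/RK: derive the cache color
# and the DRAM bank color of a physical page frame from its address bits, tell
# whether a requested (cache color, bank color) pair is realizable at all, and
# check a page-to-task assignment against the two sharing rules on the slides
# (bank colors may be shared by tasks on the same core but not across cores;
# cache colors are never shared). The bit positions below describe a
# hypothetical platform and are assumptions, not the layout of any real part.
PAGE_SHIFT = 12                     # 4 KiB pages: physical address = pfn << 12
# Assumed: the last-level-cache set index covers address bits 6..16, so the
# bits above the page offset, 12..16, select the cache color (32 colors).
CACHE_COLOR_BITS = tuple(range(12, 17))
# Assumed: the DRAM bank index is taken from address bits 13, 14 and 15
# (8 banks). These overlap the cache-color bits, which is exactly what makes
# some cache/bank color combinations impossible.
BANK_COLOR_BITS = (13, 14, 15)


def extract_bits(value, positions):
    """Gather the given bit positions of value, lowest listed position first."""
    return sum(((value >> p) & 1) << i for i, p in enumerate(positions))


def colors(pfn):
    """(cache color, bank color) of page frame number pfn."""
    addr = pfn << PAGE_SHIFT
    return extract_bits(addr, CACHE_COLOR_BITS), extract_bits(addr, BANK_COLOR_BITS)


def feasible(cache_color, bank_color):
    """True if some page frame carries both colors. Enumerating every
    combination of the color-selecting pfn bits is enough to decide it."""
    top = max(CACHE_COLOR_BITS + BANK_COLOR_BITS) - PAGE_SHIFT + 1
    return any(colors(pfn) == (cache_color, bank_color) for pfn in range(1 << top))


def check_assignment(pages_of_task, core_of_task):
    """Return sorted violation messages for a {task: [pfn, ...]} assignment
    given {task: core}; an empty list means the assignment is conflict-free."""
    cache_owner = {}   # cache color -> task that first claimed it
    bank_owner = {}    # bank color  -> core that first claimed it
    violations = set()
    for task, pfns in pages_of_task.items():
        core = core_of_task[task]
        for pfn in pfns:
            cc, bc = colors(pfn)
            owner = cache_owner.setdefault(cc, task)
            if owner != task:
                violations.add(f"cache color {cc}: {task} collides with {owner}")
            owner_core = bank_owner.setdefault(bc, core)
            if owner_core != core:
                violations.add(f"bank color {bc}: {task} on core {core} "
                               f"collides with core {owner_core}")
    return sorted(violations)


# Constructed assignment: three tasks, two cores.
EXAMPLE_CORES = {"ctrl": 0, "plan": 0, "vision": 1}
EXAMPLE_PAGES = {
    "ctrl": [0, 32],    # both pfns map to cache color 0, bank color 0
    "plan": [2],        # cache color 2, bank color 1 -- shares core 0 with ctrl
    "vision": [1],      # cache color 1, bank color 0 -- bank 0 across cores!
}

if __name__ == "__main__":
    for pfn in (0, 1, 2, 10, 32):
        cc, bc = colors(pfn)
        print(f"pfn {pfn:3d} -> cache color {cc:2d}, bank color {bc}")
    print("cache color 0 with bank color 5 feasible?", feasible(0, 5))
    for line in check_assignment(EXAMPLE_PAGES, EXAMPLE_CORES) or ["no conflicts"]:
        print(line)
```

Because the bank bits sit inside the cache-color bits here, the bank color of a page is fixed once its cache color is chosen (bank = bits 1..3 of the cache color), so a partitioner that picks cache colors and bank colors independently can request pairs that no page frame has; the feasibility check is the cheap test for that, and it is the reason the slides talk about coordinated rather than separate cache and bank coloring.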
Task 2: Software Model Checking Using Over and Under Approximations

Result 1: Improved SMC by Combining Over and Under Approximations


[Figure: RECMC combines over- and under-approximations to conclude SAFE or UNSAFE]

Publication: Anvesh Komuravelli, Arie Gurfinkel, Sagar Chaki: SMT-Based Model Checking for Recursive Programs. CAV 2014: 17-34

Task 2: Model Checking Results

[Chart: RECMC (Spacer) vs. PDR solving time on the Software Verification Competition 2014 benchmarks, axes up to 2500; points below the red line are cases where RECMC is faster than PDR]

Software Verification Competition 2014 Benchmarks

Total = 855
RECMC better = 553
PDR better = 232

PDR = State-of-the-art competitor for RECMC
NOTE: below the red line means RECMC is better than PDR

TODO:

• Bit-vector semantics

• Physical laws: additional theories
Task 2: Improved Sequentialization Using Memory Consistency Rules

1. The VC is generated using logical Lamport clocks that encode the priority-based preemption between threads

2. Further optimization using variable "snapshots" that reduce redundant sub-formulas in the VC

3. 7 times faster than the previous version of REK on benchmarks

Publication: Sagar Chaki, Arie Gurfinkel, Nishant Sinha: Efficient Verification of Periodic Programs Using Sequential Consistency and Snapshots. FMCAD 2014


Task 3: Probabilistic Model Checking to Evaluate Coordinated Multi-Robot Missions

Each robot is Markovian

• state = (x, y, time, direction, mine-detected).

No physical interaction, e.g., robots pass through one another

Property 1 = Probability of mine detection.

P=? [F (detected_1 ∨ detected_2 ∨ detected_3)]

Property 2 = Probability of detection and return to base.

P=? [F (detected_1 ∧ dir_1 = back ∧ x_1 = 0 ∧ y_1 = 1 ...)]

Property 3 = Expected number of robots returning to base.

Base station and mine have a disc model of communication

Guiding Example

Overall Approach

Modal DTMC
Technical Details

Computing (M_i, t_j)

Physically run Kilobot R_i and force it to turn around at t_j

• Discretize time and space

• Reprogram the controller to "fake" mine detection at time t_j

• The transition probability matrix of (M_i, t_j) is defined as:

P(s, s') = n(s, s') / n(s)

n(s) = no. of times the robot was in state s

n(s, s') = no. of times the robot moved from s to s' in one time step

Tedious to repeat these experiments using actual Kilobots

• Use a simulator (VREP)

• Tune parameters to reproduce the behavior observed with real Kilobots

At least two sources of error

• Finite number of observations & space and time discretization

• Both will remain no matter how much effort we put in

• How do we quantify and bound the error?
Error Quantification: Fuzzy Sampling

Repeat this process to obtain P = {p_1, ..., p_n}

Theorem 2. It can be shown that P has the same distribution as the probability of a real number being the correct result given the evidence used to construct the projections.

Compute the 90% credible interval of P, i.e., the 5th and 95th percentile. Verify whether the actual observations lie in this interval.

Perturbed projection constructed using Dirichlet distributions with parameter P
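The three pieces of Task 3 described above, the P=? [F ...] reachability property, the count-based transition matrix P(s, s') = n(s, s') / n(s), and the Dirichlet-perturbed projections with their 5th and 95th percentiles, as one added example (this is not code from the slides or from the SIMPAR 2014 paper). It assumes a four-state abstraction of a single robot, a constructed observation log, and the raw transition counts as the Dirichlet parameters; reachability is solved by plain value iteration rather than by a probabilistic model checker, and the names SEARCHING, DETECTED, AT_BASE, EXHAUSTED and all functions are inventions for this illustration.

```python
# Added example, not code from the slides or the SIMPAR 2014 paper: estimate a
# robot's DTMC from observed transitions as P(s, s') = n(s, s') / n(s), check a
# reachability property of the form P=? [F target] by value iteration, and
# quantify the estimation error by re-sampling each row from a Dirichlet
# distribution and reading off the 5th and 95th percentiles. The four-state
# abstraction, the observation log and the choice of the raw counts as the
# Dirichlet parameters are constructed assumptions, not the project's model.
import random

# Constructed abstraction of one robot's mission.
SEARCHING, DETECTED, AT_BASE, EXHAUSTED = range(4)
N_STATES = 4

# Constructed observation log of (state, next state) pairs, one per time step.
OBSERVATIONS = ([(SEARCHING, SEARCHING)] * 30 + [(SEARCHING, DETECTED)] * 12
                + [(SEARCHING, EXHAUSTED)] * 8 + [(DETECTED, AT_BASE)] * 9
                + [(DETECTED, EXHAUSTED)] * 3)


def count_transitions(observations, n_states):
    """n(s, s'): how often the robot moved from s to s' in one time step."""
    n_pair = [[0] * n_states for _ in range(n_states)]
    for s, s_next in observations:
        n_pair[s][s_next] += 1
    return n_pair


def dtmc_from_counts(n_pair):
    """P(s, s') = n(s, s') / n(s). A state never left (n(s) = 0) is treated as
    absorbing with a self-loop, an assumption made so every row sums to 1."""
    P = []
    for s, counts in enumerate(n_pair):
        n_s = sum(counts)
        row = [c / n_s for c in counts] if n_s else [0.0] * len(counts)
        if not n_s:
            row[s] = 1.0
        P.append(row)
    return P


def reach_probability(P, targets, tol=1e-12, max_iter=100000):
    """P=? [F targets] for every state: least fixed point of
    x[s] = 1 if s in targets else sum_t P[s][t] * x[t], by value iteration."""
    n = len(P)
    x = [1.0 if s in targets else 0.0 for s in range(n)]
    for _ in range(max_iter):
        x_next = [1.0 if s in targets else sum(P[s][t] * x[t] for t in range(n))
                  for s in range(n)]
        done = max(abs(a - b) for a, b in zip(x_next, x)) < tol
        x = x_next
        if done:
            break
    return x


def perturbed_dtmc(n_pair, rng):
    """One perturbed projection: each observed row is drawn from
    Dirichlet(n(s, .)), generated as normalised Gamma variates so that only
    the standard library is needed. Unobserved rows keep their self-loop."""
    P = dtmc_from_counts(n_pair)
    for s, counts in enumerate(n_pair):
        if sum(counts):
            g = [rng.gammavariate(c, 1.0) if c else 0.0 for c in counts]
            total = sum(g)
            P[s] = [v / total for v in g]
    return P


def credible_interval(observations, start, targets, n_samples=500,
                      level=0.90, seed=2014):
    """(point estimate, lower, upper): the reachability probability from
    `start` on the estimated DTMC, and the (1-level)/2 and (1+level)/2
    percentiles over n_samples perturbed projections."""
    n_pair = count_transitions(observations, N_STATES)
    point = reach_probability(dtmc_from_counts(n_pair), targets)[start]
    rng = random.Random(seed)
    samples = sorted(reach_probability(perturbed_dtmc(n_pair, rng), targets)[start]
                     for _ in range(n_samples))
    lo = samples[int((1 - level) / 2 * n_samples)]
    hi = samples[min(n_samples - 1, int((1 + level) / 2 * n_samples))]
    return point, lo, hi


if __name__ == "__main__":
    point, lo, hi = credible_interval(OBSERVATIONS, SEARCHING, {AT_BASE})
    print(f"P=? [F at_base] from searching: {point:.3f}  "
          f"90% credible interval [{lo:.3f}, {hi:.3f}]")
```

On the constructed log the point estimate is 0.45 (0.24 of the mass reaches DETECTED per step against 0.40 that leaves SEARCHING, and 0.75 of detections make it back), and the resampled projections spread around it; widening the log (more observations) shrinks the interval, which is the "finite number of observations" error source the slides name, while the discretization error is outside what this resampling can see.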


Results: Probability that one Robot detected the mine and returned to the base = Success

Predicted = Oneshot, Sample Mean, Sample 5%, Sample 95% (same columns as the following table)

Team in Release Order   Observed   Oneshot   Sample Mean   Sample 5%   Sample 95%
…                       …          0.43      0.43          0.29        0.58
5-6-2                   0.5        0.43      0.43          0.28        0.61
5-6-7                   0          0         0             0           0
6-1-7                   0.93       0.96      0.96          0.91        0.99
6-5-7                   0          0         0             0           0
7-3-5                   0.7        0.83      0.83          0.72        0.92
7-3-6                   0.83       0.83      0.84          0.74        0.92
7-6-1                   0.9        0.96      0.96          0.92        0.99

Each projection constructed using 30 simulations
Results: Expected Number of Robots that Returned to the Base

Predicted = Oneshot, Sample Mean, Sample 5%, Sample 95%

Team in Release Order   Observed   Oneshot   Sample Mean   Sample 5%   Sample 95%
3-2-1                   2.2        2.17      2.17          1.97        2.38
4-6-1                   1.67       1.23      1.23          1.14        1.33
4-6-2                   0.83       0.7       0.7           0.55        0.89
5-6-2                   0.83       0.72      0.73          0.53        0.91
5-6-7                   0.43       0.29      0.29          0.19        0.38
6-1-7                   1.57       1.23      1.24          1.14        1.35
6-5-7                   0.2        0.29      0.3           0.19        0.41
7-3-5                   0.7        0.85      0.85          0.73        0.94
7-3-6                   1.17       1.11      1.12          0.95        1.25
7-6-1                   1.63       1.23      1.24          1.13        1.34

Publication: Sagar Chaki, Joseph Andrew Giampapa, David Kyle, John P. Lehoczky: Optimizing Robotic Team Performance with Probabilistic Model Checking. SIMPAR 2014: 134-145